Slashdot Mirror


Google Will Now Hide Personal Medical Records From Search Results (betanews.com)

Mark Wilson, writing for BetaNews: Google has updated its search policies without any sort of fanfare. The search engine now "may remove" -- in addition to existing categories of information -- "confidential, personal medical records of private people" from search results. That such information was not already obscured from search results may well come as something of a surprise to many people. The change has been confirmed by Google, although the company has not issued any form of announcement about it.

13 of 34 comments

  1. Plugging leaks. by Anonymous Coward · · Score: 1

    That's nice. Now send notices to all the leaks.

  2. Hiding results is all fine, but... by Lead+Butthead · · Score: 3, Interesting

    But do they still index and keep copies of it in house? (I bet real money they do.)

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  3. About damn time. by Anonymous Coward · · Score: 1

    I was really sick of my Hep C problems showing up when people I'm dating Googled me.

  4. Better Question by Voyager529 · · Score: 4, Insightful

    Better question: Why are such records stored on servers sufficiently accessible that Google can index them in the first place?

    1. Re:Better Question by Kazoo+the+Clown · · Score: 2

      People end up uploading their own information to public servers without realizing it. Or others, legitimately handling the information, may end up not intending to make it public but store it in a location that ends up being insecure. This move by Google just sweeps it under the rug -- if it's publicly accessible, hiding it from search results doesn't make it suddenly inaccessible, it just means you can't use Google to find it. Only Google would think that makes it hard to find. If it's personal health information, it must have a "person" identified, and that person could, theoretically, be notified so they can "fix" the problem, or at least decide if they care...

    2. Re:Better Question by Gravis+Zero · · Score: 1

      Better question: Why are such records stored on servers sufficiently accessible that Google can index them in the first place?

      Because there are no penalties for shitty security.

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:Better Question by clodney · · Score: 3, Interesting

      Better question: Why are such records stored on servers sufficiently accessible that Google can index them in the first place?

      Because there are no penalties for shitty security.

      Maybe, maybe not. In the USA, the HIPAA act governs how medical providers and affiliates are required to deal with PHI (protected health information). There are indeed significant penalties associated with disclosure of PHI, and there is no exemption for malware or other bad actors. Even more alarming for the healthcare industry, HIPAA includes *personal* liability, not just corporate liability (http://managedhealthcareexecutive.modernmedicine.com/managed-healthcare-executive/content/tags/hipaa/hipaa-rule-makes-you-personally-liable), so PHI security is taken very seriously.

      But HIPAA doesn't govern what I can do with my own medical records - if I want to post them on a publicly accessible website that is just fine. And since records are required as input to all sorts of medical research and software development projects, anonymized and pseudonymized data is everywhere. I have personally seen CT studies claiming to be for Frodo Baggins, Meriadoc Brandybuck, and Daffy Duck. Those are not PHI and are not an issue under HIPAA, but I don't know whether or not Google would be smart enough to recognize these as not actual medical records.

    4. Re:Better Question by clodney · · Score: 1

      In practice HIPAA is rarely used against "bad actors". In just about every single hospital encounter my family has been involved with HIPAA was violated multiple times by doctors and nurses (multiple different patients, different doctors, different hospitals). Some of the breaches family members cared about, others were "harmless" but violations nonetheless.

      When I referenced "bad actors", I meant that the health system is not absolved of responsibility if they get hacked - it is still a breach, and they are still liable. The bad actors who committed the breach would be liable under other laws like CFAA, but didn't have the duty to safeguard PHI in the first place.

      Sorry to hear about your experiences with HIPAA violations. I work with the IT groups of hospital systems, and those people are terrified of HIPAA violations. There are pretty broad exceptions to HIPAA relating to delivery of care, and I can well believe that translates to more casual attitudes at the point of care. FWIW, I think the PHI notice you have to be given by the hospital should include contact information on how to make a complaint if you want to follow up.

  5. All of which gives me a great product idea. by cunina · · Score: 1

    Specifically, a pay-per-use search engine that only indexes personal medical records. Want to deny coverage? Want to reject a job applicant? Want to filter your next Tinder date? MediSnoop them!

  6. A better public service... by Gilgaron · · Score: 1

    Do they also try to contact the webmaster and warn them that all their HIPAA data is web accessible?

  7. Better idea: by nuckfuts · · Score: 1

    Medical service providers don't store personal medical records where web crawlers can access them.

  8. Am I The Only One... by RobotRunAmok · · Score: 1

    who read this and said "Now?" "Whaddya mean, 'NOW??'"

  9. Re:HIPAA Violations by Scarletdown · · Score: 1

    But more likely, they would violate the reporters instead.

    --
    This space unintentionally left blank.